Backup Migration WordPress Plugin Vulnerability

The WordPress Backup Migration Plugin is a powerful tool for simplifying the backup and migration process of WordPress websites, offering a range of easy-to-use features.

Recently, CDNetworks Security Lab discovered a remote code execution vulnerability in versions of the Backup Migration plugin older than 1.3.8. This vulnerability has been rated 9.8 in CVSS 3.1 with a critical danger level. It allows malicious attackers to remotely execute commands on the target website via backdoor access, thereby gaining complete control of the site.

The conditions for exploiting this vulnerability are relatively straightforward but have wide-ranging impacts. To prevent exploitation, enterprises should check the version of this plugin and fix the relevant vulnerabilities or, even better, introduce web protection solutions.

In this quick guide, we run through an analysis of the vulnerability.

Vulnerability Analysis & Replication

The vulnerability exists in the plugin file /includes/backup-heart.php. The first step to replicating this vulnerability is to locate this file and set a breakpoint. You then perform dynamic debugging by sending data to the path /wp-content/plugins/backup-backup/includes/backup-heart.php. When the server receives the data, it is found that the request header data is stored in the variable $fields.

WordPress Backup Migration Plugin Vulnerability_01

Continuing further, we can see that the field values in $fields are defined as constants. The main focus here is on the constants BMI_ROOT_DIR and BMI_INCLUDES. The value of BMI_ROOT_DIR is determined by the content-dir value in the request header, and the value of BMI_INCLUDES is formed by concatenating BMI_ROOT_DIR with “includes”.

WordPress Backup Migration Plugin Vulnerability_02WordPress Backup Migration Plugin Vulnerability_02

Additionally, it is found that BMI_INCLUDES is concatenated with “bypasser.php” and included using the require_once function. As a result, the parameter of require_once is controllable, making this a typical file inclusion vulnerability.

WordPress Backup Migration Plugin Vulnerability_03WordPress Backup Migration Plugin Vulnerability_03

In some encodings, a fixed prefix is used as the starting character of the encoding. Below are characters for different encodings. For example, in Korean character encoding (ISO-2022-KR), the encoded message must begin with the sequence “x1b$)C”.

Encoding Identifier Prepended Characters
ISO2022KR x1b$)C
UTF16 xffxfe
UTF32 xffxfex00x00

There are almost 7,000 languages spoken worldwide. Various printable characters are necessary to facilitate global internet communication.

The basic ASCII encoding table is well-known, but it has limitations. It cannot express Japanese characters or include symbols such as “λ”, “ν”, “π” from the Greek alphabet. To display characters from other languages and emojis like “☺”, various encoding tables have been developed.

These encoding tables can convert characters from one language to another. The conversion process is affected by factors such as encoding length, and prefix characters and may even generate new characters.

On the host, we can use iconv -l to view the supported encoding conversion tables.

WordPress Backup Migration Plugin Vulnerability_04WordPress Backup Migration Plugin Vulnerability_04

These conversion tables can be used via the php://convert.iconv.*.* filter. For example, convert.iconv.CP861.UTF-16 means converting the file’s character encoding from CP861 to UTF-16.

In the following code example, by converting the string “START” through ‘CP861’, ‘UTF16’, ‘L4’, and ‘GB13000’ encodings, it is possible to insert a new character ‘B’ at the beginning of the string.

WordPress Backup Migration Plugin Vulnerability_05WordPress Backup Migration Plugin Vulnerability_05

WordPress Backup Migration Plugin Vulnerability_06WordPress Backup Migration Plugin Vulnerability_06

So how do we handle the junk characters generated during encoding conversion? In PHP, base64 decoding has a feature where it only recognizes the 64 characters ‘0-9’, ‘a-z’, ‘A-Z’, ‘/’, ‘+’, and the padding character ‘=’. If the string to be decoded contains other characters, PHP will directly ignore these characters and concatenate the remaining recognizable characters for decoding. For example:

WordPress Backup Migration Plugin Vulnerability_07WordPress Backup Migration Plugin Vulnerability_07

As you can see, during decoding, characters such as ‘@&>>_’ in the string are automatically ignored. We can use the loosely parsed base64 decoding to eliminate junk characters generated during the encoding conversion process. It is important to note that if the junk characters include ‘=’, which can affect the decoding of the convert.base64-decode filter, we can use UTF-7 encoding to convert the ‘=’ sign into another symbol without affecting the decoding of the convert.base64-decode filter.

Using the above method, we can generate arbitrary base64 characters. After decoding the generated base64 characters, we can obtain any original characters. Finally, we concatenate the constructed original payload with php://filter/{filter}/resource=php://temp (specifying resource=php://temp allows appending any .php file to ensure the path is valid). The payload is written to a file, and by including the file using require_once, we achieve file inclusion to code execution.

On GitHub, an author has written an encoding conversion tool that can quickly use the php://convert.iconv.*.* filter to generate the corresponding base64 characters.

WordPress Backup Migration Plugin Vulnerability_08WordPress Backup Migration Plugin Vulnerability_08

WordPress Backup Migration Plugin Vulnerability_09WordPress Backup Migration Plugin Vulnerability_09

The payload generated by this script is set as the value of the request header content-dir.

WordPress Backup Migration Plugin Vulnerability_10WordPress Backup Migration Plugin Vulnerability_10

It is evident that the malicious code generated after the encoding conversion is successfully written and included, completing the process from file inclusion to code execution.

WordPress Backup Migration Plugin Vulnerability_11WordPress Backup Migration Plugin Vulnerability_11

Set up locally using WordPress 6.4.3 + Backup Migration Plugin 1.3.6. Use the php_filter_chain tool to generate the payload code for the out.txt`; ?>` command.
(https://github.com/synacktiv/php_filter_chain_generator/blob/main/php_filter_chain_generator.py

WordPress Backup Migration Plugin Vulnerability_12WordPress Backup Migration Plugin Vulnerability_12

Copy the result as the value of the content-dir in the request header and send the data packet to the path http://localhost/wordpress/wp-content/plugins/backup-backup/includes/backup-heart.php.

WordPress Backup Migration Plugin Vulnerability_13WordPress Backup Migration Plugin Vulnerability_13

Access http://localhost/wordpress/wp-content/plugins/backup-backup/includes/out.txt. Which will allow you to see that the execution result of the system command date has been written into the out.txt file.

WordPress Backup Migration Plugin Vulnerability_14WordPress Backup Migration Plugin Vulnerability_14

Vulnerability Remediation Solution

The latest version of the Backup Migration Plugin has fixed this issue, and we recommend updating to the latest version as soon as possible.

Minimizing Vulnerability: CDNetworks’ Cloud Security 2.0

CDNetworks’ Cloud WAF provides immediate protection against this vulnerability exploitation. It continuously investigates and analyzes other variant attack methods and various component vulnerabilities, promptly deploying protection rules to minimize the “window of vulnerability” for businesses.

In a recent month, CDNetworks upgraded its Cloud Security solution to Cloud Security 2.0, introducing several key features of WAF:

  • Built-in Ruleset: Over 1,000 rulesets for 0-day/N-day and OWASP Top 10 attacks.
  • Intelligent Analysis (Self-Tuning): AI-driven learning of user behaviors, automatically generating rule exceptions to reduce false positives.
  • Virtual Patch for 0-day Attacks: Continuous monitoring of vulnerabilities, generating new rules hourly.
  • Managed Protection Mode with AI Tech:  Enhanced threat detection and response.
  • Scalability and Ease of Deployment: Scaling on demand with easy deployment.

By integrating these features, CDNetworks aims to meet the evolving security needs of businesses in the APAC region, ensuring organizations remain protected in a competitive market.